From: Dr. Stephen Henson <steve@openssl.org>
Date: Sun, 14 Nov 2010 13:50:55 +0000 (+0000)
Subject: Get correct GOST private key instead of just assuming the last one is
X-Git-Tag: OpenSSL-fips-2_0-rc1~950
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=e827b58711ce508f5445a8460f857c71c8ffedcd

Get correct GOST private key instead of just assuming the last one is
correct: this isn't always true if we have more than one certificate.
---

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index de3f9d27a7..49751a0048 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2621,12 +2621,19 @@ int ssl3_get_client_key_exchange(SSL *s)
 			{
 			int ret = 0;
 			EVP_PKEY_CTX *pkey_ctx;
-			EVP_PKEY *client_pub_pkey = NULL;
+			EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
 			unsigned char premaster_secret[32], *start;
-			size_t outlen=32, inlen;			
+			size_t outlen=32, inlen;
+			unsigned long alg_a;
 
 			/* Get our certificate private key*/
-			pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);	
+			alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+			if (alg_a & SSL_aGOST94)
+				pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
+			else if (alg_a & SSL_aGOST01)
+				pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
+
+			pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
 			EVP_PKEY_decrypt_init(pkey_ctx);
 			/* If client certificate is present and is of the same type, maybe
 			 * use it for key exchange.  Don't mind errors from